TEL2813/IS2820 Security Management
Lecture 1
Jan 15, 2008
Contact
James Joshi
706A, IS Building
Phone: 412-624-9982
E-mail: [email protected]
http://www.sis.pitt.edu/~lersais/IS2820/Spring07/
Office Hours: Monday: 1.00 – 3.00 p.m. or by appointment
GSA: will be announced later
Course objective
The course is aimed at imparting knowledge and skill sets required to assume the overall responsibilities of administration and management of security of an enterprise information system.
Course objective
After the course, ability to carry out detailed analysis of enterprise security by performing various types of analysis:
  vulnerability analysis, penetration testing, audit trail analysis, system and network monitoring, configuration management, etc.
Carry out the task of security risk management using various practical and theoretical tools.
Course objective
After the course, ability to design detailed enterprise-wide security plans and policies, and deploy appropriate safeguards (models, mechanisms and tools) at all levels, with due consideration to
  the life-cycle of the enterprise information systems and networks, and the legal and social environment
Be able to certify products according to IA standards (Common Criteria Evaluations)
Course content
Introduction to Security Management
  Security policies/models/mechanisms
  Security Management Principles, Models and Practices
  Security Planning/Asset Protection
  Security Programs and Disaster Recovery Plans
Standards and Security Certification Issues
  Rainbow Series, Common Criteria
  Security Certification Process
National/International Security Laws and Ethical Issues
Security Analysis and Safeguards
  Vulnerability analysis (Tools & Tech.)
  Penetration testing
  Risk Management
  Protection Mechanisms and Incident handling
  Access Control and Authentication architecture
  Configuration Management
  Auditing systems, audit trail analysis
  Network defense and countermeasures
  Intrusion Detection Systems (SNORT)
  Architectural configurations
  Firewall configurations
  Virtual private networks
  Computer and network forensics
Privacy Protection
Case studies
Lab exercises
Course Material
Recommended course material:
Management of Information Security, M. E. Whitman, H. J. Mattord
Guide to Disaster Recovery, M. Erbschloe
Guide to Network Defense and Countermeasures, G. Holden
Real Digital Forensics: Computer Security and Incident Response, 1/e; Keith J. Jones, Richard Bejtlich, Curtis W. Rose
Computer Security: Art and Science, Matt Bishop (ISBN: 0-201-44099-7), Addison-Wesley 2003
Security in Computing, 2nd Edition, Charles P. Pfleeger, Prentice Hall
Software Security: Building Security In, Gary McGraw
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Mark Dowd, John McDonald, Justin Schuh
A list of papers and NIST/GAO documents for reading
Tentative Grading
Assignments (50%)
  Homework/Quiz/Paper review/Lab (35%)
  Class Participation/Seminar attendance (5%)
  2-3 presentations (10%)
Exams (20%)
Project (30%)
Course Policies
Your work MUST be your own
Zero tolerance for cheating/plagiarism
You get an F for the course if you cheat in anything, however small – NO DISCUSSION
Discussing the problem is encouraged
Homework
Penalty for late assignments (15% each day)
Ensure clarity in your answers – no credit will be given for vague answers
Homework is primarily the GSA's responsibility
Check webpage for everything!
You are responsible for checking the webpage for updates
Introduction
Information technology is critical to business and society
Computer security is evolving into information security
Information security is the responsibility of every member of an organization, but managers play a critical role
Introduction
Information security involves three distinct communities of interest:
Information security managers and professionals
Information technology managers and professionals
Non-technical business managers and professionals
Communities of Interest
InfoSec community: protect information assets from threats
IT community: support business objectives by supplying appropriate information technology
Business community: policy and resources
What Is Security?
“The quality or state of being secure—to be free from danger”
Security is achieved using several strategies simultaneously
Security and Control
Examples:
  Physical security
  Personal security
  Operations security
  Communications security
  Network security
Controls:
  Physical controls
  Technical controls
  Administrative controls
Prevention – Detection – Recovery
Deterrence, Corrective
InfoSec Components
CIA Triangle
The C.I.A. triangle is made up of:
  Confidentiality
  Integrity
  Availability
Over time the list of characteristics has expanded, but these three remain central
CNSS model is based on CIA
NSTISSC Security Model (4011)
Key Concepts: Confidentiality
Confidentiality: only those with sufficient privileges may access certain information
Confidentiality model: Bell-LaPadula
  No write down & No read up
  TCSEC/TNI (Orange Book, Red Book)
Some threats: hackers, masqueraders, unauthorized users, unprotected download of files, LANs, Trojan horses
Key Concepts: Integrity
Integrity: the quality or state of being whole, complete, and uncorrupted
Integrity model: Biba / low water mark
  No write up & No read down
Clark-Wilson
  Separation of duty
Lipner
Other issues: origin integrity, data integrity
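As an added example (not from the lecture slides), the Bell-LaPadula rules from the confidentiality slide and the Biba rules above, coded as reference-monitor checks on a linear lattice; the level names, subject and resource names, and the combined `mediate` check are constructed for illustration:

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) checks.
# Levels are constructed; a real system would take them from labels/policy.
from dataclasses import dataclass

CLASSIFICATION = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Subject:
    name: str
    clearance: int   # BLP confidentiality level
    integrity: int   # Biba integrity level (may drop under low water mark)


@dataclass
class Resource:
    name: str
    classification: int
    integrity: int


def blp_allows(subj: Subject, res: Resource, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subj.clearance >= res.classification
    if op == "write":
        return subj.clearance <= res.classification
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subj: Subject, res: Resource, op: str) -> bool:
    """Strict Biba: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return subj.integrity <= res.integrity
    if op == "write":
        return subj.integrity >= res.integrity
    raise ValueError(f"unknown operation {op!r}")


def biba_low_water_mark_read(subj: Subject, res: Resource) -> int:
    """Low-water-mark variant: reading lower-integrity data is permitted, but the
    subject's integrity level is lowered to the resource's level. Returns new level."""
    subj.integrity = min(subj.integrity, res.integrity)
    return subj.integrity


def mediate(subj: Subject, res: Resource, op: str) -> bool:
    """Reference monitor applying both policies: access needs BLP and Biba to agree."""
    return blp_allows(subj, res, op) and biba_allows(subj, res, op)
```

Running the checks on a secret/high-integrity subject against an unclassified/low-integrity resource shows the two models pulling in opposite directions: BLP forbids the write, Biba forbids the read.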
Key Concepts: Availability
Availability: making information accessible to users without interference or obstruction
Survivability: ensuring availability in the presence of attacks
Key Concepts: privacy
Privacy: information is to be used only for purposes known to the data owner
This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner
Key Concepts: Identification
Identification: information systems possess the characteristic of identification when they are able to recognize individual users
Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
Key Concepts: Authentication & Authorization
Authentication: occurs when a control provides proof that a user possesses the identity that he or she claims
Authorization: provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset
Key Concepts: Accountability; Assurance
Accountability: the characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
Assurance: assurance that all security objectives are met
What Is Management?
A process of achieving objectives using a given set of resources
To manage the information security process, first understand core principles of management
A manager is
“someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”
Managerial Roles
Informational role: collecting, processing, and using information to achieve the objective
Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and others
Decisional role: selecting from alternative approaches and resolving conflicts, dilemmas, or challenges
Differences Between Leadership and Management
The leader influences employees so that they are willing to accomplish objectives
He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow
Leadership provides purpose, direction, and motivation to those that follow
A manager administers the resources of the organization, budgets, authorizes expenditure
Characteristics of a Leader
1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness
Used by US military
What Makes a Good Leader?
Action plan:
1. Know yourself and seek self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take responsibility for your actions
4. Make sound and timely decisions
5. Set the example
6. Know your [subordinates] and look out for their well-being
7. Keep your subordinates informed
8. Develop a sense of responsibility in your subordinates
9. Ensure the task is understood, supervised, and accomplished
10. Build the team
11. Employ your team in accordance with its capabilities
Leadership quality and types
A leader must:
BE a person of strong and honorable character
KNOW yourself, the details of your situation, the standards to which you work, human nature, and your team
DO by providing purpose, direction, and motivation to your team
Three basic behavioral types of leaders: autocratic, democratic, laissez-faire
Characteristics of Management
Two well-known approaches to management:
Traditional management theory, using the principles of planning, organizing, staffing, directing, and controlling (POSDC)
Popular management theory, grouping the principles of management into planning, organizing, leading, and controlling (POLC)
The Planning–Controlling Link
Planning & Organization
Planning: process that develops, creates, and implements strategies for the accomplishment of objectives
Three levels of planning:
  Strategic
  Tactical
  Operational
Organization: structuring of resources to support the accomplishment of objectives
Leadership
Encourages the implementation of the planning and organizing functions
Includes supervising employee behavior, performance, attendance, and attitude
Leadership generally addresses the direction and motivation of the human resource
Control
Control:
  Monitoring progress toward completion
  Making necessary adjustments to achieve the desired objectives
The controlling function determines what must be monitored, and uses specific control tools to gather and evaluate information
Control Tools
Four categories:
Information: information flows/communications
Financial: guide use of monetary resources (ROI, CBA, ...)
Operational: PERT, Gantt, process flow
Behavioral: human resources
The Control Process
Solving Problems
Step 1: Recognize and define the problem
Step 2: Gather facts and make assumptions
Step 3: Develop possible solutions (brainstorming)
Step 4: Analyze and compare the possible solutions (feasibility analysis)
Step 5: Select, implement, and evaluate a solution
Feasibility Analyses
Economic feasibility assesses costs and benefits of a solution
Technological feasibility assesses an organization's ability to acquire and manage a solution
Behavioral feasibility assesses whether members of the organization will support a solution
Operational feasibility assesses if an organization can integrate a solution
Principles Of Information Security Management
The extended characteristics of information security are known as the six Ps:
  Planning
  Policy
  Programs
  Protection
  People
  Project Management
InfoSec Planning
Planning as part of InfoSec management is an extension of the basic planning model discussed earlier
Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment
InfoSec Planning Types
Several types of InfoSec plans exist:
  Incident response
  Business continuity
  Disaster recovery
  Policy
  Personnel
  Technology rollout
  Risk management
  Security program, including education, training and awareness
Policy
Policy: set of organizational guidelines that dictates certain behavior within the organization
In InfoSec, there are three general categories of policy:
General program policy (Enterprise Security Policy)
Issue-specific security policy (ISSP)
  E.g., email, Internet use
System-specific policies (SSSPs)
  E.g., access control lists (ACLs) for a device
Programs
Programs are operations managed as specific entities in the information security domain
Example:
  A security education, training and awareness (SETA) program is one such entity
  Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on
Protection
Risk management activities, including risk assessment and control, and
protection mechanisms, technologies & tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan
People
People are the most critical link in the information security program
Human firewall
It is imperative that managers continuously recognize the crucial role that people play; this includes
  information security personnel and the security of personnel, as well as aspects of the SETA program
Project Management
Project management discipline should be present throughout all elements of the information security program
Involves:
  Identifying and controlling the resources applied to the project
  Measuring progress and adjusting the process as progress is made toward the goal